Christof Meerwald wrote:
Hi,

since about Friday late evening I am seeing lots of pdns errors in my syslog
like:

  Not authoritative for '', sending servfail to 76.9.31.42 (recursion was
  desired)

Over in comp.protocols.dns.bind there is already some discussion about these
DNS requests (which apparently use a spoofed source IP address).

Is there anything a DNS server/PowerDNS can do to avoid being used as a DDoS
reflector, like rate-limiting SERVFAILs per IP address? What's the general
opinion?


The idea of the DoS attack is to try and get the authoritative or public recursive nameserver to send a larger amount of packets or size than the original request. PowerDNS (at least the installations I checked) doesn't
do that, it just sends a ServFail of pretty much the same size.

Other than dropping the packet with a firewall rule as I have (that IP address specifically; I actually will remove it after it has stopped!) I don't think there is a lot you could do. Maybe someone could implement some kind of rules in PowerDNS to, again, not answer this
query specifically. But well, that would just be wrong and make it
easier to make a DNS cache poisoning attack at some recursor more effective.

Only other thing I can think of is that maybe a rate limiter
could be kinda useful.

As I've mentioned in other fora, people should just filter their
egress traffic from spoofed addresses, that would get rid of the
whole problem.


Christof

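As an added example (not code from this thread or from PowerDNS), the per-IP SERVFAIL counting the original poster asks about, done as an offline check over syslog: it parses the "sending servfail to" lines quoted above and reports addresses that received more than a threshold of SERVFAILs in a sliding window. The syslog prefix (host `ns1`, `pdns[1234]`), the year and the sample lines are assumptions; 76.9.31.42 is the address from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the pdns message quoted in the thread; the syslog prefix
# (timestamp, host, pdns[pid]) is assumed, not taken from the thread.
SERVFAIL_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ pdns\[\d+\]: Not authoritative for "
    r"'(?P<qname>[^']*)', sending servfail to (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(recursion was (?:not )?desired\)$")

def parse_servfails(lines, year=2009):
    """Yield (ts, client_ip, qname) per SERVFAIL line; syslog carries no year."""
    for line in lines:
        m = SERVFAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["qname"]

def servfail_offenders(lines, threshold, window_seconds=60):
    """Return {ip: peak} for addresses sent more than `threshold` SERVFAILs in
    any sliding window of `window_seconds`. With spoofed queries the address is
    the reflection victim, so the reaction is to stop answering it for a while."""
    per_ip = defaultdict(list)
    for ts, ip, _ in parse_servfails(lines):
        per_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= timedelta(seconds=window_seconds):
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders

# Constructed sample: six replies to 76.9.31.42 within 30 s, two replies 90 s
# apart to 192.0.2.10, and one unrelated syslog line that must be ignored.
SAMPLE_SYSLOG = [
    f"Nov 8 22:01:{s:02d} ns1 pdns[1234]: Not authoritative for '', "
    "sending servfail to 76.9.31.42 (recursion was desired)"
    for s in (0, 4, 9, 15, 22, 30)
] + [
    "Nov 8 22:01:30 ns1 pdns[1234]: Not authoritative for 'example.org', "
    "sending servfail to 192.0.2.10 (recursion was desired)",
    "Nov 8 22:03:00 ns1 pdns[1234]: Not authoritative for '', "
    "sending servfail to 192.0.2.10 (recursion was desired)",
    "Nov 8 22:01:05 ns1 sshd[77]: Accepted publickey for admin from 192.0.2.50",
]
```

Run it as `servfail_offenders(SAMPLE_SYSLOG, 5)`; a real deployment would feed the pdns log and turn the result into a temporary drop rule rather than a permanent block.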

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users